From 9fa3b076938a16f66bf8cc07a934d8ec206b545d Mon Sep 17 00:00:00 2001 
From: gdesmar <75089569+gdesmar@users.noreply.github.com> Date: Thu, 26 Sep 2024 15:41:16 +0000 Subject: [PATCH] Migrate to service template --- .cruft.json | 23 +++ .dockerignore | 32 ++++ .gitignore | 142 +++++++++++++++++- .vscode/launch.json | 21 +++ CONTRIBUTING.md | 56 ++++++- Dockerfile | 24 ++- LICENCE.md | 11 -- LICENSE | 22 +++ Makefile | 26 ++++ README.md | 82 +++++++++- {api_vector => apivector}/__init__.py | 0 .../api_vector.py => apivector/apivector.py | 5 +- .../ordlookup/__init__.py | 0 .../ordlookup/oleaut32.py | 0 {api_vector => apivector}/ordlookup/ws2_32.py | 0 {api_vector => apivector}/updater.py | 0 {api_vector => apivector}/winapi1024v1.txt | 0 pkglist.txt | 0 pyproject.toml | 2 + requirements.txt | 2 + service_manifest.yml | 27 +++- tests/gentests.py | 30 ++++ tests/gentests.sh | 22 +++ tests/pytest.sh | 22 +++ tests/requirements.txt | 3 + .../result.json | 84 +++++++++++ tests/test_apivector.py | 24 +++ 27 files changed, 620 insertions(+), 40 deletions(-) create mode 100644 .cruft.json create mode 100644 .dockerignore create mode 100644 .vscode/launch.json delete mode 100644 LICENCE.md create mode 100644 LICENSE create mode 100644 Makefile rename {api_vector => apivector}/__init__.py (100%) rename api_vector/api_vector.py => apivector/apivector.py (96%) rename {api_vector => apivector}/ordlookup/__init__.py (100%) rename {api_vector => apivector}/ordlookup/oleaut32.py (100%) rename {api_vector => apivector}/ordlookup/ws2_32.py (100%) rename {api_vector => apivector}/updater.py (100%) rename {api_vector => apivector}/winapi1024v1.txt (100%) create mode 100644 pkglist.txt create mode 100644 pyproject.toml create mode 100755 tests/gentests.py create mode 100755 tests/gentests.sh create mode 100755 tests/pytest.sh create mode 100644 tests/requirements.txt create mode 100644 tests/results/da178ddb7a9375f3ce644a75c2acfd9621c0e5cc7b8d376d0785f71fc90e2756/result.json create mode 100644 tests/test_apivector.py 
diff --git a/.cruft.json b/.cruft.json new file mode 100644 index 0000000..87527de --- /dev/null +++ b/.cruft.json @@ -0,0 +1,23 @@ +{ + "template": "git@github.com:CybercentreCanada/assemblyline-service-template.git", + "commit": "3a814ab822dc6f42558cb3727a2857afdcb50b2f", + "checkout": null, + "context": { + "cookiecutter": { + "service_name": "apivector", + "__svc_name": "apivector", + "__repository": "assemblyline-service-apivector", + "__pkg_name": "apivector", + "__class_name": "Apivector", + "short_description": "This service extracts library imports from windows PE files or memory dump to generate api vector classification.", + "short_description_fr": "Ce service extrait les importations de libraries des executables Windows ou des fichiers mémoire pour générer une classification vectorielle des api.", + "stage": "CORE", + "category": "Static Analysis", + "org_name_full": "CybercentreCanada", + "org_name_short": "cccs", + "license": "mit", + "_template": "git@github.com:CybercentreCanada/assemblyline-service-template.git" + } + }, + "directory": null +} diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..5f78d7b --- /dev/null +++ b/.dockerignore @@ -0,0 +1,32 @@ +Dockerfile +.idea +.git +.gitignore +.vscode +.dockerignore + +pipelines +venv +.venv +env +.env +test +tests +examples +docs + +build +dist +**/__pycache__ +**/*.pyc + +pip-log.txt +pip-delete-this-directory.txt +.tox +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.log diff --git a/.gitignore b/.gitignore index b80296d..78f6696 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,7 @@ +# Created by https://www.toptal.com/developers/gitignore/api/python,vim,visualstudiocode +# Edit at https://www.toptal.com/developers/gitignore?templates=python,vim,visualstudiocode + +### Python ### # Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] 
@@ -6,11 +10,6 @@ __pycache__/ # C extensions *.so -# IDE files -.pydevproject -.python-version -.idea - # Distribution / packaging .Python build/ @@ -60,6 +59,22 @@ cover/ *.mo *.pot +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + # PyBuilder .pybuilder/ target/ @@ -71,6 +86,43 @@ target/ profile_default/ ipython_config.py +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. +# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + # Environments .env .venv 
@@ -80,9 +132,85 @@ ENV/ env.bak/ venv.bak/ +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + # Cython debug symbols cython_debug/ -*malpedia_apivector_list.csv +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +### Vim ### +# Swap +[._]*.s[a-v][a-z] +!*.svg # comment out if you don't need vector files +[._]*.sw[a-p] +[._]s[a-rt-v][a-z] +[._]ss[a-gi-z] +[._]sw[a-p] + +# Session +Session.vim +Sessionx.vim + +# Temporary +.netrwhist +*~ +# Auto-generated tag files +tags +# Persistent undo +[._]*.un~ + +### VisualStudioCode ### +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +!.vscode/*.code-snippets + +# Local History for Visual Studio Code +.history/ + +# Built Visual Studio Code Extensions +*.vsix + +### VisualStudioCode Patch ### +# Ignore all local history of files +.history +.ionide -malpediaclient/config\.py +# End of https://www.toptal.com/developers/gitignore/api/python,vim,visualstudiocode diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 0000000..7fe4825 --- /dev/null +++ b/.vscode/launch.json 
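Review bot: The last hunk drops the two project-specific patterns `*malpedia_apivector_list.csv` and `malpediaclient/config\.py` without a replacement, and nothing in the generated block above covers either path. If the Malpedia client config (the README in this patch still expects a MALPEDIA_APIKEY to be supplied) or the downloaded list can still be produced in a working tree, there is no longer anything stopping them from being committed. Unless those files were removed from the project in a change not visible here, keep the two lines at the end of the file, below the `# End of ...` marker, where cruft will not regenerate over them.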
@@ -0,0 +1,21 @@
+{
+ // Use IntelliSense to learn about possible attributes.
+ // Hover to view descriptions of existing attributes.
+ // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+ "version": "0.2.0",
+ "configurations": [
+ {
+ "name": "RunServiceOnce",
+ "type": "python",
+ "request": "launch",
+ "module": "assemblyline_v4_service.dev.run_service_once",
+ "cwd": "${workspaceFolder}",
+ "args": [
+ "-d",
+ "apivector.apivector.APIVector",
+ "${file}"
+ ],
+ "justMyCode": false,
+ },
+ ]
+}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e0a60cc..b9785be 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
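Review bot: `"type": "python"` on the RunServiceOnce configuration is the legacy debugger type, deprecated by the VS Code Python extension in favour of `"type": "debugpy"`; a file created fresh by this commit can use `"type": "debugpy"` directly. The trailing commas after `"justMyCode": false` and after the closing `}` of the configuration are tolerated by VS Code's JSONC parser but will fail in any strict JSON consumer that reads `.vscode/launch.json`, so dropping them costs nothing.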
@@ -2,24 +2,68 @@ This guide covers the basics of how to contribute to the Assemblyline project. -Python code should follow the PEP8 guidelines defined here: [PEP8 Guidelines](https://www.python.org/dev/peps/pep-0008/). +Python code should follow the PEP8 guidelines defined here: +[PEP8 Guidelines](https://www.python.org/dev/peps/pep-0008/). ## Tell us want you want to build/fix -Before you start coding anything you should connect with the Assemblyline community via the [Assemblyline Discord server](https://discord.gg/GUAy9wErNu) and/or the [central Assemblyline GitHub project](https://github.com/CybercentreCanada/assemblyline/issues) to make sure no one else is working on the same thing and that whatever you are going to build still fits with the vision of the system. + +Before you start coding anything you should connect with the Assemblyline community via the +[Assemblyline Discord server](https://discord.gg/GUAy9wErNu) and/or the +[central Assemblyline GitHub project](https://github.com/CybercentreCanada/assemblyline/issues) to make sure no one +else is working on the same thing and that whatever you are going to build still fits with the vision of the system. ## Git workflow - Clone the repo to your own account - Checkout and pull the latest commits from the master branch - Make a branch -- Work in any way you like and make sure your changes actually work -- When you're satisfied with your changes, create a pull requests to the main assemblyline repo +- Work on your modifications and make sure your changes work as expected +- When you're satisfied with your changes, create a pull requests to the Assemblyline repo #### Transfer your service repo -If you've worked on a new service that you want to be included in the default service selection you'll have to transfer the repo into our control. + +If you've worked on a new service that you want to be included in the default service selection you'll have to transfer +the associated repo into our control. 
#### You are not allow to merge: -Even if you try to merge in your pull request, you will be denied. Only a few people in our team are allowed to merge code into our repositories. +Even if you try to merge in your pull request, you will be denied. Only a few people in our team are allowed to merge +code into our repositories. We check for new pull requests every day and will merge them in once they have been approved by someone in our team. + +# Guide de contribution d'Assemblyline + +Ce guide couvre les bases de la façon de contribuer au projet Assemblyline. + +Le code Python doit suivre les directives PEP8 définies ici: +[Directives PEP8](https://www.python.org/dev/peps/pep-0008/). + +## Dites-nous que vous voulez construire / réparer + +Avant de commencer à coder quoi que ce soit, vous devriez vous connecter à la communauté Assemblyline via le +[Serveur Discord Assemblyline](https://discord.gg/GUAy9wErNu) et/ou le +[projet GitHub central Assemblyline](https://github.com/CybercentreCanada/assemblyline/issues) pour vous assurer que +personne d'autre ne travaille sur la même chose et que tout ce que vous allez construire correspond toujours à la vision +du système. + +## Flux de travail avec Git + +- Clonez le référentiel sur votre propre compte +- Changez de branche pour la branche principale et la synchroniser avec le serveur de référence +- Faire une nouvelle branche +- Travaillez sur ce que vous souhaitez et assurez-vous que vos modifications fonctionnent comme prévu +- Lorsque vous êtes satisfait de vos modifications, créez une demande de fusion sur le référentiel d'Assemblyline + +#### Transférer votre référentiel de service + +Si vous avez travaillé sur un nouveau service que vous souhaitez inclure dans la sélection de service par défaut, vous +devrez transférer le référentiel associé sous notre contrôle. + +#### Vous n'êtes pas autorisé à compléter une fusion: + +Même si vous tentez de compléter une demande de fusion, vous serez refusé. 
Seules quelques personnes de notre équipe
+sont autorisées à fusionner dans nos référentiels.
+
+Nous vérifions les nouvelles demande de fusion tous les jours et les fusionnerons une fois qu'elles auront été approuvées
+par quelqu'un de notre équipe.
diff --git a/Dockerfile b/Dockerfile
index 575f1a8..d67123a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,19 +1,33 @@
 ARG branch=latest
 FROM cccs/assemblyline-v4-service-base:$branch
-# Set service to be run
-ENV SERVICE_PATH api_vector.api_vector.API_VECTOR
+# Python path to the service class from your service directory
+ENV SERVICE_PATH apivector.apivector.APIVector
-# Install python dependancies
+# Install apt dependencies
+USER root
+COPY pkglist.txt /tmp/setup/
+RUN apt-get update && \
+ apt-get upgrade -y && \
+ apt-get install -y --no-install-recommends \
+ $(grep -vE "^\s*(#|$)" /tmp/setup/pkglist.txt | tr "\n" " ") && \
+ rm -rf /tmp/setup/pkglist.txt /var/lib/apt/lists/*
+
+# Install python dependencies
+USER assemblyline
 COPY requirements.txt requirements.txt
-RUN pip install --no-cache-dir --user --requirement requirements.txt && rm -rf ~/.cache/pip
+RUN pip install \
+ --no-cache-dir \
+ --user \
+ --requirement requirements.txt && \
+ rm -rf ~/.cache/pip
 # Copy service code
 WORKDIR /opt/al_service
 COPY . .
 # Patch version in manifest
-ARG version=4.2.0.dev1
+ARG version=1.0.0.dev1
 USER root
 RUN sed -i -e "s/\$SERVICE_TAG/$version/g" service_manifest.yml
diff --git a/LICENCE.md b/LICENCE.md
deleted file mode 100644
index c297d96..0000000
--- a/LICENCE.md
+++ /dev/null
@@ -1,11 +0,0 @@ -MIT License - -Copyright (c) 2021 Crown Copyright, Government of Canada (Canadian Centre for Cyber Security / Communications Security Establishment) - -Copyright title to all 3rd party software distributed with Assemblyline (AL) is held by the respective copyright holders as noted in those files. Users are asked to read the 3rd Party Licenses referenced with those assets. - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..e8a2399 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2024 CybercentreCanada
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1b76254
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,26 @@
+ifndef VERSION
+$(error VERSION is undefined)
+endif
+
+TAG?=latest
+ORG?=cccs
+
+ifneq ($(ORG)x, x)
+ORG:=$(ORG)/
+endif
+ifneq ($(REGISTRY)x, x)
+ORG:=$(REGISTRY)/
+endif
+
+.PHONY: default
+default: build
+
+.PHONY: build
+build:
+ docker build \
+ --pull \
+ --build-arg version=$(VERSION) \
+ --build-arg branch=stable \
+ -t $(REGISTRY)$(ORG)assemblyline-service-apivector:$(TAG)\
+ -f ./Dockerfile \
+ .
diff --git a/README.md b/README.md
index 8996b57..2a09645 100644
--- a/README.md
+++ b/README.md
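Review bot: `ORG:=$(REGISTRY)/` inside the `ifneq ($(REGISTRY)x, x)` block of the new Makefile overwrites the org prefix with the registry instead of suffixing the registry, so with REGISTRY set the `-t` line expands to `$(REGISTRY)$(REGISTRY)/assemblyline-service-apivector:$(TAG)` and the `cccs/` segment is lost; `REGISTRY:=$(REGISTRY)/` is presumably what was intended, mirroring the `ORG` block above it. With REGISTRY unset the tag comes out as `cccs/assemblyline-service-apivector:latest`, which is why the defect does not show in a default build. On the same `-t` line there is no space before the trailing backslash, so the shell separates `:$(TAG)` from `-f` only by whatever indentation the next recipe line carries; `:$(TAG) \` removes that dependence.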
@@ -1,4 +1,14 @@ -# ApiVector Service +[![Discord](https://img.shields.io/badge/chat-on%20discord-7289da.svg?sanitize=true)](https://discord.gg/GUAy9wErNu) +[![](https://img.shields.io/discord/908084610158714900)](https://discord.gg/GUAy9wErNu) +[![Static Badge](https://img.shields.io/badge/github-assemblyline-blue?logo=github)](https://github.com/CybercentreCanada/assemblyline) +[![Static Badge](https://img.shields.io/badge/github-assemblyline\_service\_apivector-blue?logo=github)](https://github.com/CybercentreCanada/assemblyline-service-apivector) +[![GitHub Issues or Pull Requests by label](https://img.shields.io/github/issues/CybercentreCanada/assemblyline/service-apivector)](https://github.com/CybercentreCanada/assemblyline/issues?q=is:issue+is:open+label:service-apivector) +[![License](https://img.shields.io/github/license/CybercentreCanada/assemblyline-service-apivector)](./LICENSE) +# APIVector Service + +This service extracts library imports from windows PE files or memory dump to generate api vector classification. + +## Service Details [ApiScout](https://github.com/danielplohmann/apiscout) uses common Windows API calls to build a representation of them called an ApiVector. @@ -12,7 +22,7 @@ See the following links for technical details: * Code on GitHub - https://github.com/danielplohmann/apiscout * Blog post - http://byte-atlas.blogspot.com/2017/04/apiscout.html -**NB** : In order for the ApiVector AL service to work you need to +**NB** : In order for the APIVector AL service to work you need to 1. Set the MALPEDIA_APIKEY as an environment variable 
@@ -42,3 +52,71 @@ The following service configuration options are available: # * 0.32 leads to a TPR/FPR of 86.55% and 0.99% # * 0.55 leads to a TPR/FPR of 80.72% and 0.09% "min_jaccard": 0.40 + +## Image variants and tags + +Assemblyline services are built from the [Assemblyline service base image](https://hub.docker.com/r/cccs/assemblyline-v4-service-base), +which is based on Debian 11 with Python 3.11. + +Assemblyline services use the following tag definitions: + +| **Tag Type** | **Description** | **Example Tag** | +| :----------: | :----------------------------------------------------------------------------------------------- | :------------------------: | +| latest | The most recent build (can be unstable). | `latest` | +| build_type | The type of build used. `dev` is the latest unstable build. `stable` is the latest stable build. | `stable` or `dev` | +| series | Complete build details, including version and build type: `version.buildType`. | `4.5.stable`, `4.5.1.dev3` | + +## Running this service + +This is an Assemblyline service. It is designed to run as part of the Assemblyline framework. + +If you would like to test this service locally, you can run the Docker image directly from the a shell: + + docker run \ + --name Apivector \ + --env SERVICE_API_HOST=http://`ip addr show docker0 | grep "inet " | awk '{print $2}' | cut -f1 -d"/"`:5003 \ + --network=host \ + cccs/assemblyline-service-apivector + +To add this service to your Assemblyline deployment, follow this +[guide](https://cybercentrecanada.github.io/assemblyline4_docs/developer_manual/services/run_your_service/#add-the-container-to-your-deployment). + +## Documentation + +General Assemblyline documentation can be found at: https://cybercentrecanada.github.io/assemblyline4_docs/ + +# Service APIVector + +Ce service extrait les importations de libraries des executables Windows ou des fichiers mémoire pour générer une classification vectorielle des api. 
+ +## Variantes et étiquettes d'image + +Les services d'Assemblyline sont construits à partir de l'image de base [Assemblyline service](https://hub.docker.com/r/cccs/assemblyline-v4-service-base), +qui est basée sur Debian 11 avec Python 3.11. + +Les services d'Assemblyline utilisent les définitions d'étiquettes suivantes: + +| **Type d'étiquette** | **Description** | **Exemple d'étiquette** | +| :------------------: | :------------------------------------------------------------------------------------------------------------- | :------------------------: | +| dernière version | La version la plus récente (peut être instable). | `latest` | +| build_type | Type de construction utilisé. `dev` est la dernière version instable. `stable` est la dernière version stable. | `stable` ou `dev` | +| série | Détails de construction complets, comprenant la version et le type de build: `version.buildType`. | `4.5.stable`, `4.5.1.dev3` | + +## Exécution de ce service + +Il s'agit d'un service d'Assemblyline. Il est optimisé pour fonctionner dans le cadre d'un déploiement d'Assemblyline. + +Si vous souhaitez tester ce service localement, vous pouvez exécuter l'image Docker directement à partir d'un terminal: + + docker run \ + --name Apivector \ + --env SERVICE_API_HOST=http://`ip addr show docker0 | grep "inet " | awk '{print $2}' | cut -f1 -d"/"`:5003 \ + --network=host \ + cccs/assemblyline-service-apivector + +Pour ajouter ce service à votre déploiement d'Assemblyline, suivez ceci +[guide](https://cybercentrecanada.github.io/assemblyline4_docs/fr/developer_manual/services/run_your_service/#add-the-container-to-your-deployment). + +## Documentation + +La documentation générale sur Assemblyline peut être consultée à l'adresse suivante: https://cybercentrecanada.github.io/assemblyline4_docs/ diff --git a/api_vector/__init__.py b/apivector/__init__.py similarity index 100% rename from api_vector/__init__.py rename to apivector/__init__.py 
diff --git a/api_vector/api_vector.py b/apivector/apivector.py
similarity index 96%
rename from api_vector/api_vector.py
rename to apivector/apivector.py
index da5c996..4cc041a 100755
--- a/api_vector/api_vector.py
+++ b/apivector/apivector.py
@@ -21,7 +21,7 @@ classification = forge.get_classification()
-class API_VECTOR(ServiceBase):
+class APIVector(ServiceBase):
 def __init__(self, config=None):
 super().__init__(config)
 self.collection_filepaths = {}
@@ -32,13 +32,12 @@ def _load_rules(self) -> None:
 source = Path(signature_path).name
 temp_list[source] = {
 "path": signature_path,
- "classification": self.signatures_meta[source]['classification'],
+ "classification": self.signatures_meta[source]["classification"],
 }
 self.log.info(f"Will load the following files: {temp_list}")
 self.collection_filepaths = temp_list
 def start(self):
- self.log.info("Starting API_VECTOR")
 winapi_file = os.path.join(os.path.dirname(__file__), "winapi1024v1.txt")
 self.apivector = ApiVector.ApiVector(winapi_file)
 self.apiQR = ApiQR(winapi_file)
diff --git a/api_vector/ordlookup/__init__.py b/apivector/ordlookup/__init__.py
similarity index 100%
rename from api_vector/ordlookup/__init__.py
rename to apivector/ordlookup/__init__.py
diff --git a/api_vector/ordlookup/oleaut32.py b/apivector/ordlookup/oleaut32.py
similarity index 100%
rename from api_vector/ordlookup/oleaut32.py
rename to apivector/ordlookup/oleaut32.py
diff --git a/api_vector/ordlookup/ws2_32.py b/apivector/ordlookup/ws2_32.py
similarity index 100%
rename from api_vector/ordlookup/ws2_32.py
rename to apivector/ordlookup/ws2_32.py
diff --git a/api_vector/updater.py b/apivector/updater.py
similarity index 100%
rename from api_vector/updater.py
rename to apivector/updater.py
diff --git a/api_vector/winapi1024v1.txt b/apivector/winapi1024v1.txt
similarity index 100%
rename from api_vector/winapi1024v1.txt
rename to apivector/winapi1024v1.txt
diff --git a/pkglist.txt b/pkglist.txt
new file mode 100644
index 0000000..e69de29
diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..5d3b53f
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,2 @@
+[tool.cruft]
+skip = ["pkglist.txt", "README.md", "apivector", "tests"]
diff --git a/requirements.txt b/requirements.txt
index df947ee..74afdb9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
+assemblyline
+assemblyline-v4-service
 apiscout
 lief==0.13.2
diff --git a/service_manifest.yml b/service_manifest.yml
index c9030c8..7c5f96e 100644
--- a/service_manifest.yml
+++ b/service_manifest.yml
@@ -1,21 +1,25 @@
 name: APIVector
 version: $SERVICE_TAG
-description: >-
- This service extracts library imports from windows PE files or memory dump to generate api vector classification.
+description: This service extracts library imports from windows PE files or memory dump to generate api vector classification.
+# Regex defining the types of files the service accepts and rejects
 accepts: executable/windows
 rejects: empty|metadata/.*
+# At which stage the service should run (one of FILTER, EXTRACT, CORE, SECONDARY, POST, REVIEW)
+# NOTE: Stages are executed in the order defined in the list
 stage: CORE
+# Which category the service is part of (one of Antivirus, Dynamic Analysis, External, Extraction, Filtering, Internet Connected, Networking, Static Analysis)
 category: Static Analysis
+# Does the service require access to the file to perform its task
+# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
 file_required: true
+# Maximum execution time the service has before it's considered to be timed out
 timeout: 60
-disable_cache: false
+# is the service enabled by default
 enabled: true
-is_external: false
-licence_count: 0
 privileged: true
 config:
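Review bot: `assemblyline` and `assemblyline-v4-service` are added to requirements.txt without a version while `lief==0.13.2` on the next line is pinned, so two builds of this same commit can install different framework versions into the image. If floating is deliberate — tracking whatever the `cccs/assemblyline-v4-service-base:$branch` image already ships — a one-line comment such as `# Versions follow the service base image; do not pin here` would stop the next reader from pinning them by mistake; otherwise pin them to the base image's version so the build is reproducible.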
@@ -23,9 +27,20 @@ config:
 min_jaccard_info: 40
 min_jaccard_tag: 80
+# Service heuristic blocks: List of heuristic objects that define the different heuristics used in the service
+# heuristics:
+# - description: This is a demo heuristic
+# filetype: "*"
+# heur_id: 1
+# name: Demo
+# score: 100
+
+# Docker configuration block which defines:
+# - the name of the docker container that will be created
+# - CPU and ram allocation by the container
 docker_config:
 image: ${REGISTRY}cccs/assemblyline-service-apivector:$SERVICE_TAG
- cpu_cores: 1
+ cpu_cores: 1.0
 ram_mb: 512
 dependencies:
diff --git a/tests/gentests.py b/tests/gentests.py
new file mode 100755
index 0000000..7ae6dde
--- /dev/null
+++ b/tests/gentests.py
@@ -0,0 +1,30 @@
+#!/bin/env python
+import os
+
+from assemblyline.common.importing import load_module_by_path
+from assemblyline_service_utilities.testing.helper import TestHelper
+
+cwd = os.getcwd()
+# Force manifest location
+os.environ["SERVICE_MANIFEST_PATH"] = os.path.join(cwd, "service_manifest.yml")
+
+# Setup folder locations
+RESULTS_FOLDER = os.path.join(cwd, "tests", "results")
+SAMPLES_FOLDER = os.path.join(cwd, "tests", "samples")
+
+# Find which module we're working on
+module = os.environ.get("SERVICE_PATH")
+if not module:
+ for line in open("Dockerfile", "r").readlines():
+ if line.startswith("ENV SERVICE_PATH"):
+ module = line[17:].strip()
+ break
+
+# Initialize test helper
+service_class = load_module_by_path(module, cwd)
+if os.path.exists(SAMPLES_FOLDER):
+ th = TestHelper(service_class, RESULTS_FOLDER, SAMPLES_FOLDER)
+else:
+ th = TestHelper(service_class, RESULTS_FOLDER)
+
+th.regenerate_results(save_files=False)
diff --git a/tests/gentests.sh b/tests/gentests.sh
new file mode 100755
index 0000000..58a159f
--- /dev/null
+++ b/tests/gentests.sh
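Review bot: The Dockerfile fallback in tests/gentests.py opens `Dockerfile` with a bare `open(...).readlines()` that is never closed, and when neither `SERVICE_PATH` nor an `ENV SERVICE_PATH` line is found, `module` stays `None` and is handed straight to `load_module_by_path(module, cwd)`, which presumably fails with an error that says nothing about the real cause. Reading the file under `with` and failing early with a message that names the missing setting keeps the script's behaviour otherwise unchanged. The `line[17:]` slice also silently depends on the exact `ENV SERVICE_PATH ` spelling (it would not match the `ENV SERVICE_PATH=...` form), which the comment above it could say.

```python
# Find which module we're working on
module = os.environ.get("SERVICE_PATH")
if not module:
    # Matches the "ENV SERVICE_PATH <dotted.path>" form used in this repo's Dockerfile
    with open("Dockerfile", "r") as dockerfile:
        for line in dockerfile:
            if line.startswith("ENV SERVICE_PATH"):
                module = line[17:].strip()
                break
if not module:
    raise SystemExit("SERVICE_PATH is not set and no 'ENV SERVICE_PATH' line was found in Dockerfile")
# … unchanged: test helper initialisation and regenerate_results …
```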
@@ -0,0 +1,22 @@
+#!/bin/bash
+docker build \
+ --pull \
+ --build-arg branch=stable \
+ -t ${PWD##*/}:gentests \
+ -f ./Dockerfile \
+ .
+
+if [[ -n "$FULL_SAMPLES_LOCATION" ]]; then
+ MOUNT_SAMPLES="-v ${FULL_SAMPLES_LOCATION}:/opt/samples"
+ ENV_SAMPLES="-e FULL_SAMPLES_LOCATION=/opt/samples"
+fi
+docker run \
+ -t\
+ --rm \
+ -e FULL_SELF_LOCATION=/opt/al_service \
+ $ENV_SAMPLES \
+ -v /usr/share/ca-certificates/mozilla:/usr/share/ca-certificates/mozilla \
+ -v $(pwd)/tests/:/opt/al_service/tests/ \
+ $MOUNT_SAMPLES \
+ ${PWD##*/}:gentests \
+ bash -c "pip install -U -r tests/requirements.txt; python /opt/al_service/tests/gentests.py"
diff --git a/tests/pytest.sh b/tests/pytest.sh
new file mode 100755
index 0000000..52fc232
--- /dev/null
+++ b/tests/pytest.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+docker build \
+ --pull \
+ --build-arg branch=stable \
+ -t ${PWD##*/}:pytest \
+ -f ./Dockerfile \
+ .
+
+if [[ -n "$FULL_SAMPLES_LOCATION"]]; then
+ MOUNT_SAMPLES = "-v ${FULL_SAMPLES_LOCATION}:/opt/samples"
+ ENV_SAMPLES = "-e FULL_SAMPLES_LOCATION=/opt/samples"
+fi
+docker run \
+ -t \
+ --rm \
+ -e FULL_SELF_LOCATION=/opt/al_service \
+ $ENV_SAMPLES \
+ -v /usr/share/ca-certificates/mozilla:/usr/share/ca-certificates/mozilla \
+ -v $(pwd)/tests/:/opt/al_service/tests/ \
+ $MOUNT_SAMPLES \
+ ${PWD##*/}:pytest \
+ bash -c "pip install -U -r tests/requirements.txt; pytest -p no:cacheprovider --durations=10 -rsx -vv -x"
diff --git a/tests/requirements.txt b/tests/requirements.txt
new file mode 100644
index 0000000..6e3d947
--- /dev/null
+++ b/tests/requirements.txt
@@ -0,0 +1,3 @@
+assemblyline
+assemblyline-service-utilities
+pytest
diff --git a/tests/results/da178ddb7a9375f3ce644a75c2acfd9621c0e5cc7b8d376d0785f71fc90e2756/result.json b/tests/results/da178ddb7a9375f3ce644a75c2acfd9621c0e5cc7b8d376d0785f71fc90e2756/result.json
new file mode 100644
index 0000000..37d6ad4
--- /dev/null
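Review bot: The `bash -c` step of tests/gentests.sh runs `pip install -U -r tests/requirements.txt` inside the freshly built image with none of the three entries in `tests/requirements.txt` pinned, so regenerated results depend on whatever the package index serves that day rather than on this commit; pinning those entries (or installing them at image build time) makes regeneration reproducible, and the same line is repeated in `tests/pytest.sh` in the next hunk. Separately, `-t\` on the `docker run` call lacks the space every other continuation line has: the shell removes the backslash-newline pair, so `-t` is kept apart from `--rm` only by the next line's leading indentation, which the collapsed patch does not preserve; `-t \` is the safe form and is what `pytest.sh` already uses.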
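Review bot: `if [[ -n "$FULL_SAMPLES_LOCATION"]]; then` in tests/pytest.sh is missing the space before `]]`, so bash reads `"$FULL_SAMPLES_LOCATION"]]` as one word and rejects the `if` as a syntax error after the image has already been built, meaning `docker run` never executes. Even once that is fixed, `MOUNT_SAMPLES = "..."` and `ENV_SAMPLES = "..."` are not assignments — with spaces around `=` bash tries to run a command named `MOUNT_SAMPLES` — so the sample mount would silently stay empty. The sibling `tests/gentests.sh` in the previous hunk has the correct form; the three lines should read `if [[ -n "$FULL_SAMPLES_LOCATION" ]]; then`, `MOUNT_SAMPLES="-v ${FULL_SAMPLES_LOCATION}:/opt/samples"` and `ENV_SAMPLES="-e FULL_SAMPLES_LOCATION=/opt/samples"`.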
+++ b/tests/results/da178ddb7a9375f3ce644a75c2acfd9621c0e5cc7b8d376d0785f71fc90e2756/result.json
@@ -0,0 +1,84 @@
+{
+ "extra": {
+ "drop_file": false,
+ "score": 0,
+ "sections": [
+ {
+ "auto_collapse": false,
+ "body": [
+ [
+ "IMAGE",
+ [
+ {
+ "img": {
+ "description": "QR-like representation of the APIVector",
+ "name": "apivector_qr.png",
+ "sha256": "5aedc36e31a0053727096bd727c0a5d96bfe64060e3d36d00d75bce807360103"
+ },
+ "thumb": {
+ "description": "QR-like representation of the APIVector (thumbnail)",
+ "name": "apivector_qr.png.thumb",
+ "sha256": "d348f82f6d6e26478ed4d1a92f1e06eaeaeade1c5622741b7f64be6c70155ffe"
+ }
+ }
+ ],
+ {}
+ ],
+ [
+ "ORDERED_KEY_VALUE",
+ [
+ [
+ "Vector",
+ "A99CA3QA5EQA4@AIA3gABEIA13KA5QgCBSAECMAIIoekXLDhxihQ]l+"
+ ]
+ ],
+ {}
+ ]
+ ],
+ "body_config": {},
+ "body_format": "MULTI",
+ "classification": "TLP:C",
+ "depth": 0,
+ "heuristic": null,
+ "promote_to": null,
+ "tags": {
+ "vector": [
+ "apivector_A99CA3QA5EQA4@AIA3gABEIA13KA5QgCBSAECMAIIoekXLDhxihQ]l+"
+ ]
+ },
+ "title_text": "ApiVector Information",
+ "zeroize_on_tag_safe": false
+ }
+ ]
+ },
+ "files": {
+ "extracted": [],
+ "supplementary": [
+ {
+ "name": "apivector.json",
+ "sha256": "25acb6d74a1503f4a172008c764a22631ca4dfc7b99cdd11ae1990a0923b341c"
+ },
+ {
+ "name": "apivector_qr.png",
+ "sha256": "5aedc36e31a0053727096bd727c0a5d96bfe64060e3d36d00d75bce807360103"
+ },
+ {
+ "name": "apivector_qr.png.thumb",
+ "sha256": "d348f82f6d6e26478ed4d1a92f1e06eaeaeade1c5622741b7f64be6c70155ffe"
+ }
+ ]
+ },
+ "results": {
+ "heuristics": [],
+ "tags": {
+ "vector": [
+ {
+ "heur_id": null,
+ "signatures": [],
+ "value": "apivector_A99CA3QA5EQA4@AIA3gABEIA13KA5QgCBSAECMAIIoekXLDhxihQ]l+"
+ }
+ ]
+ },
+ "temp_submission_data": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/test_apivector.py b/tests/test_apivector.py
new file mode 100644
index 0000000..047f73a
--- /dev/null
+++ b/tests/test_apivector.py
@@ -0,0 +1,24 @@
+import os
+import time
+
+import pytest
+from assemblyline.common.importing import load_module_by_path
+from assemblyline_service_utilities.testing.helper import TestHelper
+
+# Force manifest location
+os.environ["SERVICE_MANIFEST_PATH"] = os.path.join(os.path.dirname(__file__), "..", "service_manifest.yml")
+
+# Setup folder locations
+RESULTS_FOLDER = os.path.join(os.path.dirname(__file__), "results")
+SAMPLES_FOLDER = os.path.join(os.path.dirname(__file__), "samples")
+
+# Initialize test helper
+service_class = load_module_by_path("apivector.apivector.Apivector", os.path.join(os.path.dirname(__file__), ".."))
+th = TestHelper(service_class, RESULTS_FOLDER, SAMPLES_FOLDER)
+
+
+@pytest.mark.parametrize("sample", th.result_list())
+def test_sample(sample):
+ start_time = time.time()
+ th.run_test_comparison(sample)
+ print(f"Time elapsed for {sample}: {round(time.time() - start_time)}s")
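Review bot: `load_module_by_path("apivector.apivector.Apivector", ...)` in tests/test_apivector.py names a class that does not exist: the renamed module in this same patch defines `class APIVector(ServiceBase)`, and the Dockerfile's `ENV SERVICE_PATH apivector.apivector.APIVector` and `.vscode/launch.json` both use that spelling, while `Apivector` is the `__class_name` value from `.cruft.json`. Python attribute lookup is case-sensitive and the call runs at module import, so the whole test module — and every parametrized `test_sample` — fails before any result comparison is attempted. `service_class = load_module_by_path("apivector.apivector.APIVector", os.path.join(os.path.dirname(__file__), ".."))` keeps it in step with the other references; reading the path out of the Dockerfile the way `tests/gentests.py` does would stop the two from drifting apart again.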